registry  /  @kurumera/cli  /  0.1.4

@kurumera/cli@0.1.4

Kurumera CLI — login, scaffold, dev, check, push, preview, publish.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 27 file(s), 39.8 KB of source, external domains: 127.0.0.1, admin.kurumera.com, kurumera.com, themekit.kurumera.com

Source & flagged code

5 flagged · loading source
dist/commands/preview.jsView file
1import { spawn } from "node:child_process"; L2: import { readConfig } from "../util/config.js";
High
Child Process

Package source references child process execution.

dist/commands/preview.jsView on unpkg · L1
1import { spawn } from "node:child_process"; L2: import { readConfig } from "../util/config.js"; L3: const PUSH_URL = (process.env.KURUMERA_PUSH_URL || "https://themekit.kurumera.com/_push").replace(/\/+$/, ""); L4: function openBrowser(url) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/preview.jsView on unpkg · L1
1import { spawn } from "node:child_process"; L2: import { readConfig } from "../util/config.js"; L3: const PUSH_URL = (process.env.KURUMERA_PUSH_URL || "https://themekit.kurumera.com/_push").replace(/\/+$/, ""); L4: function openBrowser(url) { L5: try { L6: if (process.platform === "win32") { L7: spawn("cmd", ["/c", "start", "", url.replace(/&/g, "^&")], { stdio: "ignore", detached: true, windowsVerbatimArguments: true }).unref(); ... L20: const store = flag(args, "--store") || cfg.defaultStore || ""; L21: process.stdout.write("Waiting for the build"); L22: let previewUrl = ""; ... L26: const r = await fetch(`${PUSH_URL}/status`, { headers: cfg.authToken ? { Authorization: `Bearer ${cfg.authToken}` } : {} }); L27: s = (await r.json());
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/preview.jsView on unpkg · L1
dist/commands/dev.jsView file
33console.log(`▸ Starting theme dev${store ? ` for "${store}"` : ""} (via ${how}) → http://localhost:3000`); L34: // `shell: true` so it works cross-platform — and so Node 24 can spawn npm on L35: // Windows (spawning npm.cmd directly throws EINVAL since a Node security fix).
High
Shell

Package source references shell execution.

dist/commands/dev.jsView on unpkg · L33
matchType = previous_version_dangerous_delta matchedPackage = @kurumera/cli@0.1.2 matchedIdentity = npm:QGt1cnVtZXJhL2NsaQ:0.1.2 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/dev.jsView on unpkg

Findings

5 High3 Medium5 Low
HighChild Processdist/commands/preview.js
HighShelldist/commands/dev.js
HighSame File Env Network Executiondist/commands/preview.js
HighSandbox Evasion Gated Capabilitydist/commands/preview.js
HighPrevious Version Dangerous Deltadist/commands/dev.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License